Luna Network HSM Appliance Software 7.0.0
Luna Network HSM 7.0.0 was released in June 2017 and came pre-installed on Luna Network HSMs until August 2018.
New Features and Enhancements
Luna Network HSM 7.0.0 includes the following new features and enhancements:
New Luna Network HSM Appliance
The Luna Network HSM 7 has a new chassis and offers enhanced installation, maintenance, security, and usability features, including the following:
>Optional sliding mounting rails provide simplified installation and improved access for performing maintenance tasks and accessing the network ports.
>A locking faceplate bezel restricts access to the front of the appliance for enhanced security.
>A new LCD display provides a quick view of the appliance network configuration and overall health.
>Four 1GB Ethernet interface ports with port bonding (eth0 and eth1 to bond0 and/or eth2 and eth3 to bond1), for redundancy and enhanced reliability.
See Appliance Hardware Functions.
Partition Security Officer
All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM, providing a highly secure multi-tenant solution.
See Partition Roles.
Luna Network HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x Luna HSMs.
Luna Network HSM 7 provides enhanced environmental failure protection and tamper resistance.
Improved Random Number Generation
The performance of Luna Network HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:
New Cryptographic Mechanism Support
Luna Network HSM 7 adds support for the following cryptographic algorithms:
>SP800-108 HMAC (RSA & ECC)
>AES-XTS - disk encryption standard
Increased Key Storage Capacity
Luna Network HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).
Secure Transport Mode Redesigned
Secure Transport Mode (STM) in Luna Network HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents, and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the unique strings are redisplayed. If the strings match, the HSM has not been tampered or modified during transport.
The Luna Network HSM REST API web application allows you to use a set of scriptable REST APIs to perform some LunaSH functions.
See REST API Reference.
The Luna Network HSM 7 now supports IPv6, using static addressing, SLAAC, or DHCP.
See IPv6 Support and Limitations.
Improved Serial Access
Serial access to the Luna Network HSM is via an RJ45 serial port. A custom Prolific Technologies USB to RJ45 cable with a standard 8P8C modular connector is included. The cable requires the PL2303 driver, which you can download from https://www.prolific.com.tw.
See Opening a Serial Connection.
Enable Decommission on Tamper
A new capability, Enable Decommission on Tamper, allows you to set HSM policy 40 to decommission the HSM in the event of a tamper.
See HSM Capabilities and Policies.
Controlled Tamper Recovery
If Policy 48: Do Controlled Tamper Recovery is enabled (the default), the HSM SO must clear the tamper condition before the HSM is reset, to return the HSM to normal operation.
See Tamper Events.
This section highlights important issues you should be aware of before deploying appliance software 7.0.0.
HSM Logs Sent to Messages Log
The hsm.log file is deprecated and has been removed from this release. The HSM logs are now sent to the messages log.
NOTE Although it is ignored, the hsm option appears in the syntax for some syslog commands (such as syslog tail -logfiles).
Deprecated and Discontinued Features
The following features are deprecated or discontinued in Luna 7. If you have been using any of these Luna 5/6 features, plan for a new configuration and workflow that does not make use of the feature:
>Host trust links (HTL)
>NTLS keys in hardware
>Small form factor (SFF) backup
>Watchdog, CPU Governor